CLAIMS 



What is claimed is: 

1. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a network node cause the network node to perform the acts of:

modifying an alert variable based on data transmissions originating from one or more suspect nodes;

triggering a first response when said alert variable reaches a first predetermined threshold level; and

triggering a second response when said alert variable reaches a second predetermined threshold level.

2. The article of manufacture as claimed in claim 1 further including the 
step of triggering additional responses when said alert variable reaches one or 
more additional threshold levels. 

3. The article of manufacture as claimed in claim 1 wherein one of said 
triggered responses includes a passive scan of one or more of said suspect nodes. 

4. The article of manufacture as claimed in claim 3 wherein said passive 
scan includes the step of recording data transmissions in a log file. 

5. The article of manufacture as claimed in claim 1 wherein one of said triggered responses includes an active scan of one or more of said suspect nodes.

6. The article of manufacture as claimed in claim 5 wherein said active scan includes the step of retrieving information about one or more of said suspect nodes including the network address of said suspect nodes.

7. The article of manufacture as claimed in claim 5 wherein said active scan includes the step of determining the network route taken by data originating from one or more of said suspect nodes.
8. The article of manufacture as claimed in claim 1 wherein one of said triggered responses includes said network node requiring increased authentication from any other node before providing access to its resources.

9. The article of manufacture as claimed in claim 8 wherein said increased authentication includes the step of forcing two or more logins before providing access to its resources.






10. The article of manufacture as claimed in claim 1 wherein one of said triggered responses includes the step of blocking incoming data transmissions.

11. The article of manufacture as claimed in claim 1 wherein said alert variable responds differently over time to particular types of data transmissions.

12. The article of manufacture as claimed in claim 11 wherein said alert variable continuously increases in response to the continuous receipt of a particular type of data transmission until the alert variable reaches a predetermined value.
13. The article of manufacture as claimed in claim 12 wherein said particular type of data transmission originating from said suspect node is an invalid login attempt.

14. The article of manufacture as claimed in claim 11 wherein said alert variable initially increases in response to the continuous receipt of a particular type of data transmission and subsequently decreases in response to the continued receipt of said particular type of data transmission.

15. The article of manufacture as claimed in claim 14 wherein said particular type of data transmission originating from said suspect node is a transmission which retrieves information about said network node (e.g., the "ping" command).
16. The article of manufacture as claimed in claim 1 wherein said data transmissions are analyzed by said network node on a network packet level.

17. The article of manufacture as claimed in claim 16 wherein said data transmissions are filtered by said network node on a network packet level.
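A worked illustration of the alert-variable mechanism of claims 1 through 15, added here as an example and not code from the patent or its assignee: one alert variable per network node is raised by received transmissions, a tiered response fires the first time each threshold is reached, invalid logins keep raising the variable up to a cap (claims 12-13), and pings raise it at first and then lower it on continued receipt (claims 14-15). The thresholds, per-type weights and response names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Response tiers (claims 1-10): the threshold and the response triggered the
# first time the alert variable reaches it. Values and names are constructed.
TIERS = [
    (3.0, "passive_scan"),     # log the suspect's transmissions (claims 3-4)
    (6.0, "active_scan"),      # resolve the suspect's address / route (claims 5-7)
    (9.0, "increase_auth"),    # require a second login before granting access (8-9)
    (12.0, "block_incoming"),  # block incoming transmissions (claim 10)
]
LOGIN_CAP = 10.0   # claim 12: invalid logins keep raising the variable up to this cap
PING_TURN = 3      # claim 14: after this many pings each further ping lowers it


@dataclass
class AlertMonitor:
    alert: float = 0.0
    seen: dict = field(default_factory=dict)   # transmission type -> receipts so far
    fired: set = field(default_factory=set)    # responses already triggered

    def observe(self, kind: str) -> list:
        """Apply one transmission from a suspect node; return newly triggered responses."""
        n = self.seen.get(kind, 0) + 1
        self.seen[kind] = n
        if kind == "invalid_login":
            self.alert = min(self.alert + 1.0, LOGIN_CAP)
        elif kind == "ping":
            self.alert = max(self.alert + (1.0 if n <= PING_TURN else -0.5), 0.0)
        else:
            self.alert += 0.5   # constructed default weight for other transmission types
        triggered = []
        for threshold, response in TIERS:
            if self.alert >= threshold and response not in self.fired:
                self.fired.add(response)
                triggered.append(response)
        return triggered


def simulate(kinds):
    """Feed a sequence of transmission types; return final alert, fired responses, trace."""
    monitor = AlertMonitor()
    trace = [(kind, monitor.observe(kind)) for kind in kinds]
    return monitor.alert, sorted(monitor.fired), trace


if __name__ == "__main__":
    for kind, fired in simulate(["invalid_login"] * 12)[2]:
        print(kind, fired)
```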

18. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a network node cause the network node to perform the acts of:

modifying a first suspect-specific alert variable based on data transmissions originating from a first suspect node; and

modifying a second suspect-specific alert variable based on data transmissions originating from a second suspect node; and

triggering a suspect-specific response when either of said suspect-specific alert variables reach a predetermined threshold level.

EL431888817US 40 03845.P001
19. The article of manufacture as claimed in claim 18 including the act of triggering additional suspect-specific responses when either of said suspect-specific alert variables reaches additional predetermined threshold values.



20. The article of manufacture as claimed in claim 18 including the act of modifying an overall alert variable based on said data transmissions originating from each of said suspect nodes.

21. The article of manufacture as claimed in claim 20 including the act of 
triggering a response towards each one of said plurality of suspect nodes when 
said overall alert variable reaches a predetermined threshold value. 

22. The article of manufacture as claimed in claim 20 wherein said overall alert variable is more responsive to new types of data transmissions than to data transmissions previously received at said network node.

23. The article of manufacture as claimed in claim 22 including the act of initially increasing said overall alert variable in response to data transmissions originating from a particular suspect node and subsequently decreasing said overall alert variable upon continued receipt of said data transmissions from said particular suspect node.
24. The article of manufacture as claimed in claim 18 including the act of communicating each of said suspect-specific alert variables to a network database residing on a server node.

25. The article of manufacture as claimed in claim 20 including the act of communicating said overall alert variable to a network database residing on a server node.
26. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a network server node cause the network server node to perform the acts of:

storing a plurality of suspect-specific alert variables for a plurality of network nodes;

modifying a network alert variable based on the value of each of said plurality of suspect-specific alert variables; and

triggering a network response when said network alert variable reaches a predetermined threshold level.

27. The article of manufacture as claimed in claim 26 wherein said network response includes the act of notifying each of the plurality of network nodes that they should each increase their suspect-specific alert variable towards a particular suspect node.

28. The article of manufacture as claimed in claim 27 wherein said network response includes the act of said network server node initiating a passive scan of a particular suspect node.

29. The article of manufacture as claimed in claim 27 wherein said network response includes the act of said network server node initiating an active scan of a particular suspect node.

30. The article of manufacture as claimed in claim 29 wherein said network response includes the act of blocking all communication between said suspect node and said plurality of network nodes.
31. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a network server node cause the network server node to perform the acts of:

storing a plurality of overall alert variables for a plurality of network nodes;

modifying a network alert variable based on the value of each of said plurality of overall alert variables; and

triggering a network response when said network alert variable reaches a predetermined threshold level.

32. A method comprising:

receiving a first event from a suspect node;

recording said first event in a first data structure having an event count value;

receiving a second event from said suspect node, said second event being of a same type as said first event;

recording said second event in said first data structure and incrementing said count value if said second event occurs within a predetermined window of time after said first event.
33. The method as claimed in claim 32 further comprising recording said second event in a second data structure having a count value if said second event occurs outside of said predetermined window of time after said first event.

34. The method as claimed in claim 33 wherein said predetermined window of time is increased responsive to said second event occurring outside of said predetermined window of time.

35. The method as claimed in claim 32 wherein said predetermined window of time is modified based on said first or second event type.

36. The method as claimed in claim 35 wherein said window of time is increased for more serious event types and decreased for less serious event types.

37. The method as claimed in claim 36 wherein said event type is an invalid login.

38. The method as claimed in claim 36 wherein said event type is a ping.

39. The method as claimed in claim 32 further comprising generating a report of all new events which occur over a predetermined time period.

40. The method as c
new event by:

determining whether said event is included in a single data structure with one or more previous events received in a time period preceding said predetermined time period;

searching all data structures generated during said time period preceding said predetermined time period if said event is not included in said single data structure with one or more previous events; and

including said event in said report if said event is not identified in any data structures generated during said time period preceding said predetermined time period.
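A worked illustration of the event-recording method of claims 32 through 40, added here as an example and not code from the patent or its assignee: events of one type from a suspect node are folded into a single record with a count while they arrive within a window, a later event opens a new record with a widened window (claims 33-34), the window length depends on the event type's seriousness (claims 35-38), and a report lists the types first seen within a period that no record from the preceding period contains (claims 39-40). Window lengths, the growth factor and the record layout are constructed assumptions.

```python
from dataclasses import dataclass, field

# Window per event type in seconds (claims 35-36): a more serious type gets a
# longer window, so its repeats are grouped into one record. Values are constructed.
WINDOWS = {"invalid_login": 300.0, "ping": 30.0}
DEFAULT_WINDOW = 60.0
WINDOW_GROWTH = 1.5   # claim 34: widen the window once an event falls outside it


@dataclass
class EventRecord:           # the "data structure having a count value" of claim 32
    event_type: str
    first_ts: float
    last_ts: float
    window: float
    count: int = 1


@dataclass
class SuspectTracker:
    records: list = field(default_factory=list)

    def record(self, event_type: str, ts: float) -> EventRecord:
        """Claims 32-34: fold an event into the open record of its type when it
        arrives within that record's window; otherwise open a new record with a
        wider window."""
        for rec in reversed(self.records):            # most recent record of this type
            if rec.event_type == event_type:
                if ts - rec.last_ts <= rec.window:
                    rec.count += 1
                    rec.last_ts = ts
                    return rec
                window = rec.window * WINDOW_GROWTH
                break
        else:
            window = WINDOWS.get(event_type, DEFAULT_WINDOW)
        rec = EventRecord(event_type, ts, ts, window)
        self.records.append(rec)
        return rec

    def new_events(self, start: float, end: float) -> list:
        """Claims 39-40: records opened in [start, end) whose type appears in no
        record opened before `start` (the preceding period), one per type."""
        earlier = {r.event_type for r in self.records if r.first_ts < start}
        report = []
        for rec in self.records:
            if start <= rec.first_ts < end and rec.event_type not in earlier:
                earlier.add(rec.event_type)      # report a newly seen type once
                report.append(rec)
        return report
```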